Smithsonian Institution
Office of the Inspector General

In Brief
Smithsonian Institution Network
Report Number A-06-07, August 10, 2007

Why We Did This Evaluation

Under the Federal Information Security Management Act of 2002 (FISMA), the Office of the Inspector General (OIG) conducts an annual independent assessment of the Institution's information security system. As part of that assessment, FISMA requires a review of a subset of information systems. This report covers one such system, SInet, and evaluates SInet management, operational, and technical security controls.

What We Recommended

We made 17 recommendations to strengthen controls over SInet by enforcing Institution policies, procedures, and practices over network account administration, segregation of duties, and risk assessments.

Management generally concurred with the report's findings and recommendations, with the exception of those relating to weaknesses in the development of the SInet risk assessment.

What We Found

The Smithsonian Institution's general support system, SInet, consists of routers, switches, access servers, file servers, mail servers, domain name servers, intrusion detection systems, firewalls, and network monitoring systems.

Management, operational, and technical controls over SInet were not adequate. Our audit noted that the Institution operates in a decentralized environment where responsibility for both performing functions and enforcing IT controls has been assigned to the same individuals. Furthermore, because responsibility for administration and security of SInet has not been centralized under the Office of the Chief Information Officer (OCIO), IT security policies and procedures documented by OCIO have not been consistently implemented or followed. Specifically, we found that:

• Because of weaknesses over the administration of network accounts, management cannot ensure that unauthorized individuals do not have access to SInet or that resources residing on it are obtained through the use of legitimate accounts.

• Vendor patches and fixes to the network operating system for known vulnerabilities need to be installed more promptly to reduce the risk of successful intrusions, sabotage, and theft or destruction of critical or sensitive data.

• Management has not enforced proper separation of administrative and security functions and therefore cannot ensure that individuals with high-level or sensitive access to the system will not perform unauthorized activities.

• Risk assessments performed by the Institution did not adequately address the risk and magnitude of harm that could result from unauthorized access to or the unauthorized use, disclosure, disruption, modification, or destruction of information and systems that support the operations and assets of the Institution. Consequently, management cannot fully assess and prioritize all potential threats and vulnerabilities.

Without adequate controls in place to enforce Institution policies, procedures, and practices over SInet, the confidentiality, availability, and integrity of Institution information systems and related data may be at greater risk than management is willing to accept.

For additional information or a copy of the full report, contact the Office of the Inspector General at (202) 633-7050 or visit http://www.si.edu/oig.

REPORT ON
FISCAL YEAR 2006 INDEPENDENT AUDIT OF THE
SMITHSONIAN INSTITUTION'S NETWORK (SINET)

Cotton & Company LLP
Auditors · Advisors
635 Slaters Lane, 4th Floor
Alexandria, Virginia 22314
703.836.6701
www.cottoncpa.com

CONTENTS

Section                                                     Page
Purpose                                                       1
Background                                                    1
Objective, Scope, and Methodology                             2
Results
   Network Account Administration Procedures are Weak         3
   Technical Controls Over SInet Need to be Strengthened      5
   Duties are Not Adequately Segregated                       6
   Warning Banners are Not Consistently Applied               7
   Session-Locking Controls are Not Implemented               8
   Password Controls are Not Enforced                         9
   Signed Rules of Behavior are Not Retained                  9
   Risk Assessments Do Not Address NIST Requirements         11
   Wireless Policies and Procedures Need to be Updated       11
Summary of Management Response                               13
Office of the Inspector General Comments                     14
Appendix – Management Response                               16

Smithsonian Institution OIG                                   FY2006 FISMA Review - SINET

REPORT ON
FISCAL YEAR 2006 AUDIT OF THE
SMITHSONIAN INSTITUTION'S NETWORK (SINET)

Cotton & Company LLP conducted an audit of the Smithsonian Institution's network (SInet) security management program and practices to determine the effectiveness of management, operational, and technical controls over the Institution's general support system.

PURPOSE

The E-Government Act of 2002 (Pub. L. No. 107-347), which includes Title III, the Federal Information Security Management Act of 2002 (FISMA), was enacted to strengthen the security of federal government information systems. Although the E-Government Act of 2002 does not apply to the Institution, the Institution supports the information security practices required by the Act because they are consistent with and advance the Institution's mission and strategic goals.

FISMA outlines federal information security compliance criteria, including the requirement for an annual independent assessment by the Institution's Inspector General.
This report covers the evaluation of the SInet security management practices and controls and supports the Smithsonian Institution Office of the Inspector General (OIG) annual FISMA evaluation of the information security controls implemented by the Institution.

BACKGROUND

FISMA, Office of Management and Budget (OMB) regulations, and National Institute of Standards and Technology (NIST) guidance outline minimum security requirements for federal information security programs. These include:

• Annual System Self-Assessments. NIST's Security Self Assessment Guide for Information Technology Systems contains specific control objectives and techniques against which a system can be tested and measured. Performing a self-assessment and mitigating any of the weaknesses found is an effective way to determine if the system or the information it contains is adequately secured and protected from loss, misuse, unauthorized access, or modification. OMB guidelines require organizations to use the NIST self-assessment tool annually to evaluate each of their major systems.

• Certification and Accreditation. NIST's Guide for the Security Certification and Accreditation of Federal Information Systems states that systems should be certified and accredited. A certification is "a comprehensive assessment of management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, and operating as intended." NIST guidance also discusses system accreditation, which is "the official management decision to authorize operation of an information system and to explicitly accept the risk to operations, assets, or individuals based on the implementation of the agreed-upon set of security controls." Organizations should use the results of the certification to reassess their risks and update system security plans to provide the basis for making security accreditation decisions.

• System Security Plan. NIST's Guide for Developing Security Plans for Information Technology Systems requires that all major application and general support systems be covered by a security plan. The plan provides an overview of the security requirements of a system and describes controls in place or planned for meeting those requirements. Additionally, the plan defines responsibilities and the expected behavior of all individuals accessing the system. The NIST guide also instructs that the security plan should describe the management, operational, and technical controls the organization has implemented to protect the system. Among other things, these controls include user identification and authentication procedures, contingency/disaster recovery planning, application software maintenance, data validation, and security awareness training.

OBJECTIVES, SCOPE, AND METHODOLOGY

On behalf of the OIG, Cotton & Company performed an independent audit of SInet, the Institution's general support system. We conducted this audit in accordance with Government Auditing Standards, 2003 Revision, as amended, promulgated by the Comptroller General of the United States. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence that provides a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. This report is intended to meet the objectives described below and should not be used for other purposes.

SInet is composed of routers, switches, access servers, file servers, mail servers, domain name servers, intrusion detection systems, firewalls, and network monitoring systems. This system is located throughout the SI campus in almost every building, from large museum facilities to animal houses at the National Zoo. The network spans 5 states, the District of Columbia, and one foreign country (Panama).

The objectives of this independent audit were to evaluate and report on the existence and effectiveness of management, operational, and technical security controls over SInet and to determine if required baselines had been adequately documented and implemented. We evaluated SInet general controls as of August 31, 2006, using NIST's Special Publication (SP) 800-53A, "Guide for Assessing the Security Controls in Federal Information Systems," which applies to security controls defined in NIST SP 800-53, "Recommended Security Controls for Federal Information Systems." We tested NIST SP 800-53 general controls through interviews, observation, and specific testing procedures where applicable.

In addition, we completed detailed audit procedures for SInet technical controls securing the Institution's border firewall, routers, and use of wireless technologies. Our detailed audit procedures for SInet technical controls included carrying out:

• External and internal penetration testing procedures
• External and internal vulnerability assessment procedures
• A wireless review to determine where the Institution was using wireless and whether wireless access points were adequately secured

RESULTS

Management, operational, and technical controls over the Institution's general support system were not adequate. Our audit of the Institution's general support system noted that the Institution operates in a decentralized environment where responsibility for both performing functions and enforcing IT controls has been assigned to the same individuals. Responsibility for administration and security of SInet has not been centralized under the Office of the Chief Information Officer (OCIO) and, as a result, IT security policies and procedures documented by OCIO have not been consistently implemented or followed.
Without adequate controls in place to enforce Institution policies, procedures, and practices over SInet, the confidentiality, availability, and integrity of Institution systems and related data may be at greater risk than management is willing to accept. Specific control weaknesses are detailed below.

Network Account Administration Procedures are Weak

Controls over the administration of SInet accounts are not adequate. Responsibility for adding, deleting, and maintaining SInet accounts has been assigned to various administrators across the Institution, and system administrators are not managing SInet accounts in accordance with Institution or NIST policy. The decentralized administration of SInet contributes to accounts being maintained in an inconsistent manner. In addition, because OCIO does not centrally administer accounts for SInet, it was not performing any periodic reviews of active SInet accounts to ensure these accounts are appropriate.

SInet administrators are responsible for reviewing SInet accounts and reporting the results of their reviews to the Computer Security Manager in OCIO in the Dormant Account Monthly Compliance Report. We reviewed the reports submitted to OCIO for May and June 2006 and noted that the reports did not include adequate information on administrators' account reviews.

OCIO's Technical Standard & Guideline IT-930-02 Security Controls Manual, section 3.1.2 User Account Management, states:

    System administrators are responsible for reviewing accounts once every 30 days to identify accounts that have been inactive for 30 days. System administrators will disable accounts that have been inactive for 30 days. System administrators will notify the local manager that the account has been disabled and will be deleted after another 150 days (for a total of 180 days of inactivity) unless the manager requests that the account be re-enabled.

Our review of SInet accounts listed as active noted that:

a. Active SInet user accounts totaled 8,116, of which 2,191 (or 27 percent) have been idle in excess of 180 days.

   • 51 user accounts in 2006 had no activity for more than 180 days
   • 1,541 user accounts had no activity since 2005
   • 179 user accounts had no activity since 2004
   • 46 user accounts had no activity since 2003 or earlier
   • 374 user accounts show "None Found" for a last logon date

b. Active SInet system accounts (accounts used by the Windows operating system and by services running under Windows) totaled 571, of which 394 (or 69 percent) have been idle in excess of 180 days.

   • 9 system accounts in 2006 had no activity for more than 180 days
   • 58 system accounts had no activity since 2005
   • 45 system accounts had no activity since 2004
   • 88 system accounts had no activity since 2003 or earlier
   • 194 system accounts show "None Found" for a last logon date

NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, section 3.5.2 (User Administration), under User Account Management, states:

    Organizations should have a process for (1) requesting, establishing, issuing, and closing user accounts; (2) tracking users and their respective access authorizations; and (3) managing these functions.

Our audit determined that accounts are not being promptly deleted when users leave the Institution. We selected a random sample of 45 individuals whose employment with the Institution was terminated during fiscal year 2006 and noted that 16 of the 45 (35%) still had active user accounts on the network.

Finally, we determined that access request forms for SInet are not adequately retained and periodically reviewed to ensure a user's current access is still appropriate. SInet user Network/Email request forms are faxed to the OCIO helpdesk and kept in the Helpdesk Expert Automation Tool (HEAT) system in a picture format. When we requested a sample of 45 user authorization forms for review, OCIO was unable to provide the forms. We were informed that forms are searchable only by a requester's name or ticket number. There are no periodic reviews conducted to trace system permissions back to authorization documents.

NIST SP 800-14, Section 3.5.2, Audit and Management Reviews, states:

    It is necessary to periodically review user account management on a system. Reviews should examine the levels of access each individual has, conformity with the concept of least privilege, whether all accounts are still active, whether management authorizations are up-to-date, whether required training has been completed, and so forth. These reviews can be conducted on at least two levels: (1) on an application-by-application basis, or (2) on a system wide basis.

Without adequate controls over the administration of network accounts, management has no means of ensuring that unauthorized individuals do not have access to SInet and the resources residing on it through the use of legitimate accounts. In addition, without an up-to-date and accurate list of authorized users on SInet with supporting access request forms, management's ability to identify unauthorized accounts on the network is diminished.

Recommendations

We recommend that the CIO:

1. Assign responsibility to someone within OCIO for periodically reviewing all SInet system and user accounts to determine whether they are still necessary. For example, periodic reviews should detect active accounts with no activity in the last 180 days or accounts associated with individuals who have recently left the Institution.

2. Develop a policy and procedures for maintaining SInet access request forms in a format which system or security administrators will be able to use for future reviews of network accounts.

3. Centralize administration of SInet accounts for all SInet users within OCIO, with the exception of the Office of the Inspector General.[1]

Technical Controls Over SInet Need to be Strengthened

Controls need to be strengthened to ensure that significant technical weaknesses do not exist on SInet. The Institution's Technical Note IT-930-TN14, Vulnerability Scanning of Networked Devices, establishes procedures for performing vulnerability scanning of all devices connected to SInet. IT-930-TN14 assigns overall responsibility for vulnerability scanning to the Computer Security Manager and responsibility for fixing identified vulnerabilities to various individuals or groups within the Institution.

Our audit noted that OCIO is performing scans of SInet as required by Institution policy, and these periodic scans have identified numerous weaknesses, which OCIO is in the process of addressing. We also performed technical testing (penetration testing and vulnerability assessment) both internally and externally on SInet. During our testing we noted that OCIO appears to have strong controls in place for monitoring unauthorized activities on the network. On several occasions our internal and external scans were identified by OCIO security personnel.
In these instances, OCIO cut off our access until security personnel were able to determine that our activities were authorized.

Notwithstanding the controls for monitoring unauthorized activities, our internal and external testing of SInet identified the following:

• 273 external vulnerabilities, of which 47 were high risk and 226 were medium risk. Specific areas of external weakness included:

   o RPC service vulnerabilities
   o Web server configuration issues and vulnerabilities
   o Multiple buffer overflows

• 178 internal vulnerabilities across 443 scanned machines, of which 145 were high risk, 33 were medium risk, and none were low risk. Specific internal areas of weakness identified included:

   o Web server configuration issues and vulnerabilities
   o Anonymous connections allowed to NetBIOS
   o Inappropriate permissions on important registry keys
   o Default SNMP community names and other SNMP-related vulnerabilities
   o Multiple buffer overflows

[1] The OIG should continue to maintain administrative control over its accounts and data to ensure sensitive data obtained during the normal course of business is adequately protected from unauthorized disclosure or modification and to maintain statutory independence.

In addition, although we were initially identified and blocked by OCIO security during our internal testing, we were eventually able to gain administrative access to machines on SInet. We noted several specific technical weaknesses and have separately communicated them to OCIO.

Many of these weaknesses related to default configurations not being changed when systems were installed or to patches and hot fixes not being implemented in a timely manner. Best business practices (derived from NIST, NSA, and industry studies) for securing Windows, Unix, and Novell dictate that certain default configurations and permissions be changed to provide tighter security over the operating system.

During our audit we noted that the Institution has not implemented standard security configuration baselines for SInet. The implementation of baselines would in many cases address weaknesses identified in our audit. In our FY 2006 FISMA evaluation report we recommended that procedures be implemented and enforced to ensure that existing policies requiring the use of standard baselines are followed. Additionally, although the Institution does have a documented policy on patching (Technical Note IT-930-TN08, Implementing Vendor Software Patches/Fixes), we determined this policy is not being consistently followed or enforced.

Installation delays of vendor patches and fixes to the network operating system for known vulnerabilities expose the Institution's network to an increased risk of successful hacker attacks. They also increase the potential for network sabotage, theft of the organization's sensitive financial and personal data, and destruction and corruption of databases. Additionally, these unauthorized activities can occur without detection, resulting in management's reliance on potentially inaccurate and incomplete financial and other information.

Recommendations

We recommend that the CIO:

4. Enforce policies and procedures for ensuring that vendor patches and security hot-fixes are installed in a timely manner.

5. Review results of our technical testing (provided during earlier meetings) to ensure weaknesses identified have been addressed by management or identified in OCIO scans. In addition, ensure critical weaknesses such as the ones identified in the SANS Top-20 are addressed first and lower-risk items addressed later.

Duties are Not Adequately Segregated

Controls are not adequate to ensure sensitive activities within SInet have been adequately segregated. The SInet system security plan includes a section discussing separation of duties and specifically states:

    Separation of duties is a well established security methodology. Moderate and High impact systems have the following requirements: Applications should be designed, implemented and operated in a manner that supports appropriate separation of duties. This requirement means that the information system enforces separation of duties through assigned access authorizations... Examples of separation of duties include: (i) mission functions and distinct information system support functions are divided among different individuals/roles; (ii) different individuals perform information system support functions (e.g., system management, systems programming, quality assurance/testing, configuration management, and network security); and (iii) security personnel who administer access control functions do not administer audit functions.

We determined management has not enforced proper separation of administrative and security functions. For example, our audit noted that in many cases individuals responsible for administration of SInet user accounts are also responsible for the review of system audit logs.
Security\nbest practices do not allow the same individual both to set up new users and review audit logs.\nWithout separation of administration and security functions, management cannot ensure\nindividuals with high-level or sensitive access to the system are not performing unauthorized\nactivities.\n\nRecommendation\n\n    6. We recommend that the CIO enforce separation of duty controls noted in the SInet\n       system security plan and specifically segregate system administration roles from security\n       roles.\n\nWarning Banners are Not Consistently Applied\n\nControls are not adequate to ensure SInet warning banners include language required by the\nInstitution and NIST. Specifically, we determined users currently log onto SInet through\nWindows 2003, Windows 2000, or Novell. Our review of warning banners for each of these\nplatforms noted that the associated warning banners contained different information and in some\ncases did not include adequate information to meet requirements outlined in the SInet system\nsecurity plan or NIST SP 800-53.\n\nWe determined that the Windows 2000 and Novell warning banners did not agree with the\nWindows 2003 warning banner. In addition, our review of Technical Standard Guideline IT-930-\n02, Security Control Manual Appendix C, noted that the suggested warning banner language in\nIT-930-02 did not address all information identified in NIST SP 800-53 and the SInet system\nsecurity plan. The SInet system security plan, section AC-8 System Use Notification, states:\n\n        A System Use Notification informs potential users: (i) that the user is accessing a U.S.\n        Government information system; (ii) that system usage may be monitored, recorded, and\n        subject to audit; (iii) that unauthorized use of the system is prohibited and subject to\n        criminal and civil penalties; and (iv) that use of the system indicates consent to\n        monitoring and recording. 
The system use notification message provides appropriate\n        privacy and security notices.\n\n        All Smithsonian systems must display, at the minimum, the System Use Notification\n        (Logon Warning Screen) shown in Appendix C. The System Use Notification must\n        remain on the screen until the user takes explicit actions to log on to the information\n        system.\n\n                                                 7\n\x0cSmithsonian Institution OIG                                   FY2006 FISMA Review - SINET\n\n        For publicly accessible systems: (i) the system use information must be available as\n        opposed to displaying the information before granting access; (ii) there should be no\n        references to monitoring, recording, or auditing since privacy accommodations for such\n        systems generally prohibit those activities; (iii) the notice given to public users of the\n        information system includes a description of the authorized uses of the system.\n\nWe noted that IT-930-02 did not              Unauthorized computer access is a criminal violation of\ninclude or make reference to:                the Computer Fraud and Abuse Act (18 U.S.C)\n\n\xc2\x83   The user is accessing a U.S.             System usage limitations are described in Smithsonian\n    Government information system            directive SD931. 
All users must read and understand\n\xc2\x83   System usage may be monitored,           Smithsonian Directive 931, sign a User Agreement, and\n    recorded, and subject to audit           take the online computer security awareness training\n                                             annually.\n\xc2\x83   Use of the system indicates consent\n    to monitoring and recording              Bypass of this banner implies understanding and\n                                             acceptance of the policies in SD 931 and agreement to\nWithout displaying adequate warning          obtain, use or disclose sensitive data only in connection\nbanners, which all individuals accessing     with performance of authorized official duties.\nthe Institution\xe2\x80\x99s general support system\nare required to agree with,                  While using Smithsonian computers and networks, you\nmanagement\xe2\x80\x99s ability to enforce              should have no expectation of privacy. Report any\npenalties for unauthorized activities is     violation of these policies to the Smithsonian Computer\ndiminished.                                  Security Manager, Bruce Daniels, at (202) 633-6000 or\n                                             William McGeehan at (202) 633-0632.\nRecommendations\n\nWe recommend that the CIO:\n\n    7. Update IT-930-02 to include language identified by NIST SP 800-53.\n\n    8. 
Update all SInet warning banners to ensure they are consistent and address all language
       required by NIST SP 800-53.

Session-Locking Controls are Not Implemented

Controls are not adequate to ensure workstations on SInet lock after a period of inactivity.
Although the Institution has developed a policy (IT-930-01, Activating Password-Enabled
Screensaver) requiring users to configure their workstations to activate a password-protected
screensaver after the computer has been idle for 10 minutes or less, this policy has not been
adequately implemented by users or enforced by the Directors of each museum, research institute,
or office. Specifically, our audit identified workstations on SInet that were not configured to
activate a password-protected screensaver within the required 10-minute period.

Additionally, we noted that the Institution's current mixed environment of Windows and Novell
prevents OCIO from centrally pushing inactivity controls down to users' workstations. Without
adequate controls to ensure that idle workstations lock after a period of inactivity, the risk of
unauthorized individuals gaining access to an unattended workstation increases.

Recommendations

We recommend the CIO:

    9. Enforce Institution policy requiring activation of password-protected screensavers after a
       period of inactivity not to exceed 10 minutes. For example, OCIO should consider
       performing periodic random audits of users' workstations to ensure they are properly
       configured.

    10. Where feasible, use Microsoft Active Directory to push screensaver controls down to
        users' workstations.

Password Controls are Not Enforced

Controls are not adequate to ensure passwords protecting users' SInet accounts comply with
Institution policy. Specifically, we determined that users' SInet accounts are not being
consistently configured to require a password change every 90 days.

The SInet system security plan, section IA-5 Authenticator Management, states:

        Where supported by the software, passwords expire after 90 days and cannot be reused
        for 12 generations.

The Institution has developed a policy that users are required to change their passwords every
90 days, and system administrators are to periodically review their accounts. However, of the
6,188 user accounts and 202 system-related accounts logged into during FY2006 (10/01/05
through 07/20/06), we determined:

    • 265, or 4%, of user account passwords had not been changed in over 90 days.
    • 62, or 31%, of system account passwords had not been changed in over 90 days.

Through interviews we learned that no assessments are conducted to ensure that administrators
periodically review the password controls and make changes in accordance with Institution
policy.

Recommendation

    11. We recommend that the CIO enforce Institution policy by ensuring SInet implements
        strong password controls, including having passwords for all accounts change, at a
        minimum, every 90 days.

Signed Rules of Behavior are Not Retained

Controls are not adequate to ensure signed rules of behavior for all SInet users are on file.
Smithsonian Directive (SD) 931, Use of Computers and Networks, documents rules of behavior,
assignments of responsibility, and penalties for non-compliance. 
SD 931 states:

        The Director, Office of Human Resources, ensures that:
           • Computer security awareness training is included in orientation of new
               employees
           • Employees sign user agreements during orientation
           • Signed user agreements are retained in the official personnel files of all
               employees.

        The director of each museum, research institute, and office ensures that:
           • Each user annually completes the online computer security awareness tutorial
           • Users who are not Smithsonian employees sign user agreements
           • Signed user agreements are retained in unit files.

Our testing of a random sample of 45 SInet users found that management could not provide
signed user agreements for 22 of the 45 employees and contractors tested. Specifically, we noted:

    •   22 SInet accounts tested had signed user agreements.
    •   One current employee's user agreement was signed, but the signature date was after the
        time of our initial testing.
    •   One current employee's user agreement could not be provided for review.
    •   Signed user agreements for 16 contractors with access to SInet could not be provided.
    •   Five SInet user accounts tested were for employees no longer working at the
        Smithsonian. According to the Office of Human Resources, files for these employees
        were purged, so no signed user agreements were available for review.

Without signed user agreements, management's ability to hold users accountable for unauthorized
or inappropriate activities on SInet decreases. In addition, without effectively communicating
expected behaviors to SInet users, management cannot be sure users are not unknowingly
performing unauthorized or risky activities on the network.

Recommendations

We recommend that the Director, Office of Human Resources, and the CIO:

    12. Work together to determine the best way to comply with Smithsonian policy SD 931, Use
        of Computers and Networks, by retaining signed user agreements in the official personnel
        files of all employees. Signed agreements should be retained in a format that can be
        easily retrieved in the future.

We recommend that the CIO:

    13. Require existing users of SInet who do not have signed agreements on file to re-sign user
        agreements.

    14. Develop and implement procedures to ensure that the director of each museum, research
        institute, and office retains signed user agreements for non-Smithsonian personnel
        working in their units as required by SD 931.

Risk Assessments Do Not Address NIST Requirements

Controls are not adequate to ensure risk assessments performed by the Institution adequately
address the risk and magnitude of harm that could result from the unauthorized access, use,
disclosure, disruption, modification, or destruction of information and information systems that
support the operations and assets of the Institution. While OCIO did perform a risk assessment of
SInet, this risk assessment did not address specific areas recommended by NIST SP 800-30, Risk
Management Guide for Information Technology Systems. 
Specifically, the SInet risk assessment,\nprovided by management, did not include:\n\n    \xe2\x80\xa2   List of threat sources that are a risk to SInet\n    \xe2\x80\xa2   List of the motivations or threat actions related to the threat sources\n    \xe2\x80\xa2   List of threat sources not tied to vulnerabilities\n    \xe2\x80\xa2   Identification of threats from system security testing results (vulnerability scans,\n        penetration testing, and security testing and evaluation)\n    \xe2\x80\xa2   Security requirements checklist\n    \xe2\x80\xa2   Identification of the likelihood, impact, or risk for each vulnerability\n    \xe2\x80\xa2   Risk-level matrix or a description of the risk levels\n\nIn addition, we noted the SInet risk assessment did not clearly identify a history of changes to the\nrisk assessment or names of individuals involved in performing the most recent risk assessment.\nWhile NIST does not specifically require this information to be included in the risk assessment,\nthis information is important to ensure all changes to the environment under review have been\naddressed and the right people have been included in the risk assessment process.\n\nWithout developing and maintaining a complete risk assessment, it becomes difficult for\nmanagement to assess and prioritize all potential threats and vulnerabilities.\n\nRecommendations:\n\nWe recommend that the CIO:\n\n    15. Revise the documented SInet risk assessment to reflect all requirements from NIST\n        SP 800-30.\n\n    16. Develop, document, and implement procedures to ensure future risk assessments address\n        all areas identified in NIST SP 800-30.\n\nWireless Policies and Procedures Need to be Updated\n\nControls are not adequate to ensure unauthorized or unencrypted wireless networks are not\nattached to SInet. OCIO has developed and documented a policy and procedures on the use of\nwireless technologies within the Institution. 
Technical Note IT-930-TN25, Wireless Networks and
Mobile Devices, states:

        At this time wireless devices are specifically prohibited from connection to SInet. In
        extraordinary circumstances and where adequate controls can be demonstrated a waiver
        may be granted. The waiver must be approved by the Director Office of Information
        Technology Operations (OITO), and the Smithsonian Computer Security Manager.
        Implementation guidance will be approved as part of the waiver process. Waivers may be
        granted for more than one calendar year.

        OCIO will monitor wireless access points and will take action to disconnect any
        unapproved devices.

        The computer security manager will use available tools to monitor Smithsonian computer
        resources.

However, our review of IT-930-TN25 noted that specific procedures have not been identified or
documented for the computer security manager to follow when monitoring Smithsonian computer
resources. The Institution's policy does not state how monitoring will occur or how often
monitoring should occur.

Without adequate monitoring procedures in place to identify unauthorized wireless networks,
management cannot be sure individuals with access to SInet are not creating unauthorized
wireless networks. The introduction of unauthorized and in some cases unencrypted wireless
networks to the Institution's infrastructure or general support system can greatly increase the risk
of unauthorized individuals gaining access to Institution resources. 
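
The following Python script is an added illustration of the kind of periodic scan this finding calls for; it is example code prepared for this edition and is not part of the OIG report or of any OCIO procedure. It parses the text produced by the Windows command `netsh wlan show networks mode=bssid` and compares every access point seen against an approved inventory, reporting unapproved BSSIDs and open (unencrypted) networks. The inventory, the SSIDs and BSSIDs, and the scan output are all constructed for the example.

```python
"""Rogue / open wireless-network check on `netsh wlan show networks mode=bssid`
output (Windows). Every BSSID seen is compared with an approved-AP inventory;
unapproved BSSIDs and open (unencrypted) networks are reported."""
import re
from dataclasses import dataclass

# Hypothetical approved-AP inventory: BSSID -> SSID it is authorised to carry.
# In practice this would come from the waiver records kept for approved APs.
APPROVED_APS = {
    "00:11:22:33:44:55": "SI-Staff",
    "00:11:22:33:44:56": "SI-Staff",
}

# Constructed sample of netsh output. Network 3 copies the approved SSID from
# an unknown BSSID (the evil-twin case that SSID-only checks miss).
SAMPLE_SCAN = """\
Interface name : Wireless Network Connection

SSID 1 : SI-Staff
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:55
         Channel            : 6
    BSSID 2                 : 00:11:22:33:44:56
         Channel            : 11

SSID 2 : linksys
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : aa:bb:cc:dd:ee:ff
         Channel            : 1

SSID 3 : SI-Staff
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : de:ad:be:ef:00:01
         Channel            : 6
"""


@dataclass
class Observation:
    ssid: str
    bssid: str
    authentication: str
    encryption: str
    channel: str = ""


SSID_RE = re.compile(r"^SSID\s+\d+\s*:\s*(.*)$")
# "Key [index] : value" lines, e.g. "  BSSID 1  : aa:..." or "  Encryption : CCMP"
KV_RE = re.compile(r"^\s*([A-Za-z ]+?)(?:\s+\d+)?\s*:\s*(.*)$")


def parse_netsh_networks(text):
    """Return one Observation per BSSID in the netsh listing."""
    observations, ssid, auth, enc, current = [], None, "", "", None
    for line in text.splitlines():
        m = SSID_RE.match(line)
        if m:                      # new network block: reset per-SSID state
            ssid, auth, enc, current = m.group(1).strip(), "", "", None
            continue
        m = KV_RE.match(line)
        if not m or ssid is None:  # unrelated line, or header before first SSID
            continue
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        if key == "authentication":
            auth = value
        elif key == "encryption":
            enc = value
        elif key == "bssid":       # netsh prints auth/encryption before BSSIDs
            current = Observation(ssid, value.lower(), auth, enc)
            observations.append(current)
        elif key == "channel" and current is not None:
            current.channel = value
    return observations


def classify(observations, approved=APPROVED_APS):
    """Return (bssid, ssid, reason) for each observation needing follow-up.
    Matching is by BSSID, not SSID, because a rogue AP can copy the SSID."""
    findings = []
    for o in observations:
        reasons = []
        expected = approved.get(o.bssid)
        if expected is None:
            reasons.append("unapproved BSSID")
        elif expected != o.ssid:
            reasons.append(f"approved BSSID advertising unexpected SSID {o.ssid!r}")
        if o.authentication.lower() == "open" or o.encryption.lower() == "none":
            reasons.append("unencrypted (open) network")
        if reasons:
            findings.append((o.bssid, o.ssid, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    # Live use: feed the captured text of `netsh wlan show networks mode=bssid`.
    for bssid, ssid, reason in classify(parse_netsh_networks(SAMPLE_SCAN)):
        print(f"{bssid}  {ssid:<10}  {reason}")
```

The check keys on BSSID rather than SSID because a rogue access point can advertise an approved SSID; the third network in the sample shows that case. A scan of this kind only sees access points within radio range of the scanning workstation, so it has to be repeated from each location and on a schedule, and it cannot by itself show whether a detected access point is attached to SInet; confirming that requires correlating the access point's MAC address with the wired side (for example, switch port MAC tables), which is outside this example.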
The use of wireless
technologies can lessen or eliminate the effectiveness of border security controls such as firewalls
and routers: an individual outside the Institution who attaches to an unprotected wireless network
joins the network behind those controls and thus subverts them.

Recommendation

    17. We recommend that the CIO update current wireless policies and procedures to
        specifically identify how management will periodically scan for or prohibit the
        implementation of unauthorized wireless networks.

Summary of Management's Response

The CIO's July 27, 2007, and the OHR Director's July 9, 2007, responses to our draft report
generally concurred with our findings and with 15 of our 17 recommendations to strengthen the
management, operational, and technical controls over the Smithsonian Institution Network. The
CIO agrees with our assessment that policies and procedures for the administration and security
of SInet have not been consistently applied. The CIO contends that the only viable long-term
solution to the decentralized environment is to consolidate IT responsibilities, along with the
assignment of the needed staff to the various roles. The Institution's migration to Active
Directory also will significantly improve OCIO's ability to implement more stringent security
controls.

The CIO stated that remediating identified vulnerabilities and enforcing proper separation of
administrative and security functions will require additional resources not currently budgeted for
in OCIO. Moreover, management disagreed with our recommendations that the current
SInet risk assessment and future risk assessments be strengthened. 
OCIO believes that its risk
assessment already meets NIST requirements.

Management's planned actions are summarized below:

Recommendation 1. Concur. OCIO will assign the responsibility for periodic review of all
SInet system and user accounts to the OCIO Customer Service and Support Division by
December 30, 2007.

Recommendation 2. Concur. OCIO agreed to develop policy and procedures for maintaining
SInet access request forms in a format which can be used for future account reviews by December
30, 2007.

Recommendation 3. Concur. OCIO will develop a policy to centralize administration of SInet
accounts by January 31, 2008, for all SInet users within Active Directory. This Institution-wide
policy will include guidance for OIG accounts.

Recommendation 4. Concur. OCIO will enforce policies and procedures for pushing vendor
security patches and security hot-fixes and has provided a target completion date of
February 28, 2008.

Recommendation 5. Concur. OCIO agreed that the process for scanning for vulnerabilities and
ensuring that weaknesses are mitigated needs improvement. OCIO agreed to perform, by
October 30, 2007, a SANS Top 20 non-intrusive vulnerability scan against the identified IP
addresses. OCIO agreed to remediate identified vulnerabilities, but indicated that current staffing
levels and the decentralized nature of the Institution make it difficult to assign responsibility for
remediation.

Recommendation 6. Concur. While OCIO agreed that separation of duties is desirable, due to
lack of resources and funding they are not currently able to implement this recommendation.
OCIO will request the establishment of a security position in the Office of Information
Technology Operations to assume responsibility for SInet security by early 2008 for inclusion in
the FY 2010 budget. If the funding is not secured, OCIO will consider additional
automation tools to facilitate the monitoring of security controls and activities.

Recommendations 7 and 8. Concur. OCIO indicated that it will update IT-930-02 to include
warning banner language identified in NIST SP 800-53 and implement new banners for SInet
Active Directory and Novell logins by July 30, 2007.

Recommendations 9 and 10. Concur. OCIO will implement, by November 30, 2007, a group
policy in Active Directory requiring the activation of password-protected screensavers.

Recommendation 11. Concur. Once all SI units move to Active Directory, no later than
November 30, 2007, OCIO will improve enforcement of SI password policy as outlined in SD
931.

Recommendation 12. OHR and OCIO concur. OHR believes this recommendation to be
unnecessary since there appears to be a single employee file identified during the audit that was
missing the signed user agreement. This file was for an employee who was subject to a staff
reduction and the user agreement had likely been purged, in accordance with Office of Personnel
Management regulations. The Associate Director, OHR, conducted additional testing of 50
employees to ensure that signed user agreements were contained in the personnel folders and
without exception all folders were compliant.

Recommendations 13 and 14. Concur. Effective June 2007, OCIO has deployed an electronic
signature procedure whereby user agreements will be signed annually as part of the Computer
Security Awareness Training process. To ensure that this process is operating as intended,
covering all employees, contractors, and other users with access to SInet, OCIO proposed a target
completion date of September 30, 2008.

Recommendations 15 and 16. Non-concur. 
OCIO believes the risk assessment documentation
adequately reflects the intent and overall guidance of NIST SP 800-30.

Recommendation 17. Concur. By September 30, 2007, OCIO will update existing policies to
reflect management procedures for tracking down unauthorized wireless access points including
investigating devices identified through OCIO network scans.

We include the full text of management's response in the Appendix to this report.

Office of the Inspector General Comments

Management's planned actions for recommendations 1 through 14 and 17 are responsive to the
intent of our recommendations and we consider them resolved. For recommendation 3, we agree
with OCIO's planned actions to centralize administration of SInet accounts for all SInet users
within OCIO. We understand that the inclusion of the OIG in this policy was not meant to suggest
that OCIO would be administering OIG accounts but merely providing guidance on
administration of forms. For reasons of independence, the OIG will administer its own accounts.

For recommendation 7, we verified that OCIO updated IT-930-02 to include warning banner
language identified in NIST SP 800-53. Therefore, we will close this recommendation. We also
held numerous discussions with OHR on recommendation 12. Based on OHR's assurances that it
will continue to require new employees to sign user agreements during orientation and file them
in the personnel folder and OCIO's procedure that it implemented in June 2007 to have
employees electronically sign user agreements annually when taking security awareness training,
we consider this recommendation closed as well.

In evaluating management's response to this report, we held several discussions with the IT
Security Director in an effort to clarify and resolve areas of disagreement. The only
recommendations we could not ultimately reach resolution on are recommendations 15 and 16 on
SInet's risk assessment. While OCIO indicates that it used the sample risk assessment in
Appendix C of NIST SP 800-30, we believe that had OCIO followed the process prescribed in the
body of NIST SP 800-30, they would have identified several more significant risks. 
For example,
the SInet risk assessment does not consider the following:

        •   The Institution's highly decentralized environment and numerous physical remote
            locations result in a variety of personnel, remote access, networking and physical
            security risks.
        •   Temporary network users (such as researchers or summer interns).
        •   The Institution is a high-profile organization, making it an attractive target for
            outsiders.
        •   The potential for personally identifiable information (relating to federal or non-
            federal employees, donors, and members of the public) being transmitted through the
            general support system.

We, as well as Cotton & Co., continue to believe that the SInet risk assessment does not
adequately address the NIST requirements detailed earlier in this report. OCIO's interpretation of
these missing items is inconsistent with how NIST describes each of them. For example,
NIST SP 800-30 describes a threat source as who or what could exploit a vulnerability, and a
threat action as the specific discussion of how the vulnerability can be exploited. In addition, the
guidance also discusses the motivation of the threat source. While OCIO has listed threats, it has
not identified threat sources, actions, or motivations.

Despite our disagreement on this issue, OCIO, our office and Cotton & Co. have committed to
meet to work on the development of a model Risk Assessment plan. 
We believe the development
and implementation of such a plan would benefit all Smithsonian information systems and will
satisfy the intent of the recommendations.

We appreciate the courtesy and cooperation of Smithsonian representatives during this audit.

Appendix – Management Response